[clug] Pop quiz.. (DHCP and servers).
jm
jeffm at ghostgun.com
Wed Jan 14 23:38:51 GMT 2009
Half true from what I've been told. First anything I say may be Entrasys
specific as the guy I just asked about this is an Entrasys specialist.
Any mistakes here are mine. You have been warned.
Your right in that various versions of operating systems have varying
levels of support of 802.1x. The latest versions of windoze, and mac
support it out of the box. Linux definately has support although I'm not
sure which distros have it has a standard package. In order to get
around this your network infrastructure needs a fall back strategy. I
know Entrasys will support fall back methods such as mac addresses and
snooping on other authentication protocols to select the correct policy
to apply to the switch port the device is plugged into. Note that this
is a policy not just a decision to turn the port on or off. This means
that a printer would have a policy which would only allow it to talk to
the print server. As such, should the print be compromised it can not do
anything to harm the rest of the network. Further, as a bonus everything
the printer prints has to go through the print server so you can keep an
accurate log of what is printed. This may be important in some
situations. Likewise, you can apply a policy limits what a server or
desktop machine can access - think ACLs on every port based on what the
policy say the machine is allowed to do. In the case of desktop machines
this can be assigned based on whois logged into the machine. Much better
than having a choke point and over loading a firewall only to have much
of you internal network unprotected.
To get back on track the lastest versions of the most popular OS all
support 802.1x and where it's not available or casues grief there are
fall back strategies which can be applied on the fly automatically. To
address the difficulties you raise about interoperability, once you
tweak it to suit your needs, which is the hard bit needs, you should
just have to make it part of you SOE as I'm assuming you would be making
this part of a large rollout not just one or two machines.
Jeff.
Daniel Pittman wrote:
> That would be, as Andrew pointed out earlier, because you get caught up
> when something doesn't support 802.1x. Given that includes common
> desktop platforms like Windows, Linux and MacOS, along with most
> appliances, you can see where the problems start.
>
> (and, yes, most of them can do 802.1x, but if you have ever tried to get
> them interoperating, or configure it, you might not be so enthusiastic :)
>
> Regards,
> daniel
>
More information about the linux
mailing list